This project was born in 2006 to provide a framework for all OWASP projects developing code review services. The project is at a fairly stable stage and is usable for Java static code review and some dynamic tests against XSS. OWASP Orizon also includes APIs for code crawling, usable by code crawling tools.

Overview

The quest for secure code is what all developers want to achieve (at least we hope so). Software must be reliable. Software must be strong. Software must be secure.

How secure does my software have to be? The correct answer is hard to find. But security is a problem that even a development team must consider.

Should skilled developers also be security gurus? Not necessarily, but it is important to provide security tools that will augment their development skills. And so our quest for secure code begins...

The OWASP Orizon project was created with the aim of providing a common ground for safe coding and code review methodologies to be applied to software. The project is approaching its first major release and will be usable in a production environment in the near future.

Orizon must give thanks to Findbugs, the OWASP LAPSE Project, RATS, and Flawfinder for ideas and inspiration.

Download

Dawn

In September 2007, while hacking around release 0.50, a decision was made to introduce dynamic code review facilities – first for the Java language. Dawn was chosen as the name of this new feature in Orizon.

The project team believes that this will be the most cutting edge technology inside of Orizon; it will help developers rise from buggy and unsafe code to hardened and secure code; hence, the name dawn for all related dynamic code review.

Dawn was implemented in Orizon release 0.45pre1.

Bastion

Around March 2007, feedback from stressing the importance of reviewing code for security issues brought about the realization that a more lightweight solution needed to be provided for those who were afraid of undertaking a full code review activity, or simply for those who wanted a quickie until the security review was completed.

For this reason, a parallel project called Bastion was realized in order to provide Java developers with classes that embed security checks in their core, giving them a quick fix without having to change too much code.

Please understand that Bastion will not come close to substituting for robust security coding, but it will provide some minimal secure coding functionality while full-fledged secure coding is being undertaken in other parts of the application.

A very simple web application that demonstrates how to use Bastion to fix a very generic Cross Site Scripting attack by changing a single line of code can be found here. To use it, point your browser to http://<domain name>/bastion_test and follow the instructions.

The Bastion test application is built against a very old Orizon version when Bastion was still contained inside of Orizon. Because the current focus of the project is on the Orizon APIs, the Bastion code remains unchanged since April.

A few words need to be said here; there is no intention to reinvent the wheel. The Web is full of libraries that sanitize source code in order to mitigate an attack on a web application. Bastion is just our small contribution to the community; we really hope that you'll appreciate it.

The library

For a code review tool, the most important factor is its knowledge, that is, the security checks that are applied to the source code. No matter how many features a tool has or how fancy its UI is, a poor security check library means that the tool is useless.

Orizon organizes safe coding best practices in XML rules that are contained in files called recipes. The mantra chosen for the project is that "coding is like cooking" and the goal is to choose the correct set of recipes.

Recipes are gathered together in a zip file named Library.

Following is the layout of the knowledge inside of Orizon.

The XML schema

The Orizon XML schema used to describe secure coding checks can be difficult to read. On this page, more details about how an XML rule is built can be found.

I will talk at SMAU eAcademy2006 next Saturday, 7th October 2006, about code review and safe coding. Here you can find more information (for now, only in Italian).
The last part of the speech will be about introducing the Orizon project and giving a development roadmap.

2.10.2006

OWASP Orizon Project Created! - 09:24, 2 October 2006 (EDT)

The Open Web Application Security Project is proud to announce the OWASP Orizon Project!

Feedback and Participation:

Orizon wants you
Of course, as an open source project, anyone is welcome to join Orizon, and please do.
If you are a skilled C#, Java or ASP developer and you want to share your experience with these languages, feel free to use the mailing list to contribute to the languages Orizon supports.

If you are a skilled Java developer, why not think about writing some code for Orizon?

If you write quite well or (it's not so difficult) better than me, please think about joining the project for documentation, advertising, blog maintenance...

We hope you find the OWASP Orizon Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Orizon Project mailing list or view the archives, please visit the subscription page.